We recently featured a webinar from Isaac Dawson, Senior Security Researcher at CA Veracode, on why we should not gauge the effectiveness of a particular scanner by looking only at the results from scanning public test sites.

Isaac Dawson: The reason that I was looking at all these public test sites was primarily that our customers, when they first do a comparison of our scanner versus other scanners, run these public test sites. We need to make sure that we are finding all the issues that everybody else finds, and more if possible, and we need to do this for every release of our scanner. Any time we make any changes, we need to make sure that we find the same issues.

Q: Does CA Veracode offer a test site for people who want to test drive the CA Veracode application scanner?

Isaac Dawson: We believe it is not a good idea to do that, so we do not have a test site running.

Q: What is your recommendation for the ideal way to test a scanner? You mentioned open source options; can you tell us a little bit more about how you would recommend testing prior to purchase?

Isaac Dawson: Sure. It depends entirely on your technical skill level. If you are not comfortable running or creating your own test cases to make sure that the scanner can handle specific types of coverage issues, like going through stretch frameworks or coding your own vulnerabilities to test the scanner, there are some open source applications available. Examples of open source applications that you can download are DVWA, Webstore and Hacme Bank. All of these applications are available for download. They are open source, so you can get them installed and review the code to see exactly why it is a vulnerability and why the scanner can or cannot find it.

Q: Are there any other test sites that you didn't include in this review?

Isaac Dawson: There are a number of test sites that are not included. There are a few from Acunetix. If you are looking at a new scanner and the organization is locking you into scanning that specific site, be aware that you need to go above and beyond just scanning that single site with multiple scanners; you need to do more in-depth analysis.

Q: If people are working on doing their own scanner, can they get in contact with you to talk about it?
